Skip main navigation

Compliance in the Cloud

In this video, you will learn how to be compliant with guidelines and standards within the cloud.
If we are moving into the cloud, we want to be sure that we can extend our compliance to the cloud. If we have data under most privacy legislation, if we have something that classes as personally identifiable data, and under the GDPR, bear in mind, this could be a telephone number, an email address. What constitutes personally identifiable information is very broad. So this responsibility sits with the person collecting the data, the data controller. If you have this data and you store it in the cloud, and the cloud provider fails, whose responsibility is it? Still your responsibility. So this is really important to understand.
Without cloud services, we have some restrictions that arise legally through legislation like GDPR that mean we cannot store personally identifiable information outside of a particular jurisdiction. So with the European Union and GDPR, you cannot store PII outside of the GDPR area unless there are equivalent protections provided as we described earlier in the course. So we need to understand, where is the cloud? Where is that data stored? And this is a big question. With big international companies like Microsoft, Google, Amazon, where are their data centres? Where are the administrators of those data centres? So the low cost of cloud is very attractive, but we have a very low visibility of how these services are maintained sometimes.
Some of these services, from an identity and access management perspective, and also from a security governance perspective, many of these services are very low-cost to initiate, and so remain very low-visible within, have a very low level of visibility within our organizations. So when we’re using these services, corporately, we may have good governance. But increasingly, what you’ll see is these arising through much more iterative use by employees, where employees just decide to start using something like Slack or Dropbox. So we need to make sure we can extend our governance locally to cover cloud services, that we manage procurement of cloud services, and also that any services we buy are compliant with whatever requirements we have.
Noncompliance becomes really easy with cloud services, and it can be accomplished without any awareness. You may not know what some of your users are doing with your data.

In this video, you will learn how to be compliant with guidelines and standards within the cloud. Important points to remember are:

  • the data controller retains accountability
  • personally identifiable information (PII) applies geographically
  • understand ‘where’ the data is stored, and where the administrators are

Reflect and share: Were you unaware of any of the points mentioned above? How will this change your operations? Share in the comments below.

This article is from the free online

Cyber Security Foundations: Reinforcing Identity and Access Management

Created by
FutureLearn - Learning For Life

Our purpose is to transform access to education.

We offer a diverse selection of courses from leading universities and cultural institutions from around the world. These are delivered one step at a time, and are accessible on mobile, tablet and desktop, so you can fit learning around your life.

We believe learning should be an enjoyable, social experience, so our courses offer the opportunity to discuss what you’re learning with others as you go, helping you make fresh discoveries and form new ideas.
You can unlock new opportunities with unlimited access to hundreds of online short courses for a year by subscribing to our Unlimited package. Build your knowledge with top universities and organisations.

Learn more about how FutureLearn is transforming access to education